POYGet early access

POY · Legal

Law Enforcement Guidelines

How authorities can request data and what we hold.

Draft v0.1 — Effective date: [GO-LIVE DATE] (drafted 2026-06-08)

These Guidelines explain how law-enforcement and other government authorities can request data or content action from POY, what data POY actually holds, and how we respond. They are published for transparency and to make legitimate requests efficient. They are not legal advice and do not waive any legal requirement or right.

POY is operated by [CONTROLLER LEGAL NAME] from the United Kingdom, on Google/Firebase infrastructure. POY is a privacy-minimal, anonymous service — please read §3 carefully, as we hold far less data than a typical social network.

Single point of contact for authorities: [lawenforcement@heypoy.app / privacy@heypoy.app].

1. Principles

  • We comply with valid legal process and assist in genuine emergencies involving risk to life or serious harm — especially to children.
  • We require requests to be lawful, specific, and properly authorised, and we disclose only the minimum data legally required.
  • We log every request and disclosure, including the legal basis.
  • We notify affected users of requests for their data unless we are legally prohibited, or notice would risk life, a child's safety, an investigation, or evidence.

2. How to submit a request

Send requests from an official law-enforcement email domain, on letterhead where applicable, to [lawenforcement@heypoy.app]. Include:

  • the requesting agency, officer name, badge/ID, and contact details;
  • the legal instrument relied on (e.g. UK court order/warrant, RIPA/IPA authority, international request via MLAT, a US subpoena/court order/warrant if applicable, or an emergency-disclosure request);
  • the specific identifiers you have (see §3) — e.g. the phone number or in-app report reference;
  • the precise data sought and the time window; and
  • any non-disclosure requirement and its legal basis and duration.

We may need to verify the request's authenticity before responding. Overly broad, vague, or improperly authorised requests will be refused or narrowed.

3. What data POY holds (and doesn't)

POY collects very little. Authorities should calibrate requests accordingly:

We may hold:

  • A user's phone number (the only strong identifier) and opaque account ID (UID).
  • Self-declared date of birth and account/consent timestamps.
  • Content while it exists — but photos are public only 24 hours, "Decide" posts 5 min–24h, and everything is hard-deleted within 15 days.
  • Votes, counters, blocks, reports filed, and support messages.
  • Moderation records (strikes, warnings, ban status/reason) — these may persist longer.
  • Limited technical/log data (e.g. IP address and app/OS version around a request) processed by our infrastructure provider for security.

We do NOT hold: real names, email addresses, postal addresses, contacts, precise GPS location, payment details (no paid features yet), message/DM content (there are no DMs), profiles, or social-graph data. Voting is anonymous and aggregate — we cannot, in the normal course, tell you "who voted on a given post" beyond raw vote records tied to UIDs.

Because of ephemerality and 15-day deletion, content you need may no longer exist unless a preservation request (see §5) reaches us in time.

4. Types of request we accept

RequestWhat's needed
Basic subscriber data (e.g. phone number/UID linkage, account timestamps)Valid legal process appropriate to your jurisdiction
Content / records (a specific post if still retained, reports, support, moderation history)Court order/warrant or equivalent; specific and time-bound
Emergency disclosureA genuine, imminent risk to life or of serious harm (see §6)
PreservationA request to preserve specified data pending legal process (see §5)
Content removal / referralNotice of illegal content (we also act under our own Moderation policy)

International requests generally require routing through applicable legal-assistance channels (e.g. MLAT) unless an emergency applies. Some data may be held by our processor Google; where appropriate we may direct or coordinate with Google's law-enforcement process.

5. Preservation requests

Given our short retention, if you anticipate needing data, send a preservation request quickly, identifying the account (by phone number) and/or specific content and the data to preserve. We will, where lawful and technically feasible, preserve the specified data for an initial [90 days] (renewable on request) pending valid legal process. A preservation request does not itself authorise disclosure — that requires appropriate legal process.

6. Emergencies (risk to life / child safety)

In a genuine emergency involving an imminent risk of death or serious physical harm, or child sexual exploitation, we may voluntarily disclose relevant data to the appropriate authority in good faith, to the extent permitted by law, without other legal process. Mark such requests "EMERGENCY DISCLOSURE REQUEST" and include the nature of the emergency, the specific harm, and why the data is needed urgently. We record the justification for every emergency disclosure.

For child sexual abuse material, we also make proactive reports to the relevant authorities (e.g. NCMEC / the NCA / CEOP) and the IWF, and preserve evidence — see Moderation & Escalation §6.

7. User notice

We will notify a user before disclosing their data where reasonably possible, to give them an opportunity to object, unless prohibited by law or court order, or where notice would endanger life, a child, an investigation, or the integrity of evidence.

8. Costs, transparency & records

  • We may seek reimbursement of reasonable costs of responding where the law allows.
  • We keep a record of requests and may publish aggregate transparency reporting in future (Moderation & Escalation §10).
  • Requests, our responses, the legal basis, and any non-disclosure obligations are logged.

8a. Internal handling (for the POY team)

[Internal: route all requests to the data/safety lead; verify authenticity and authority; do not over-disclose; consult [legal] for anything beyond a clear, valid request; record in the request log; apply the user-notice rule above. See [Moderation & Escalation §8](MODERATION_AND_ESCALATION.md).]

9. Contact

[lawenforcement@heypoy.app / privacy@heypoy.app][CONTROLLER LEGAL NAME], [CONTROLLER ADDRESS].

[legal advice] Have a UK solicitor confirm references to UK powers (PACE/IPA), the MLAT/international wording, retention/preservation periods, and any US process before publishing.

Questions about this policy? Contact privacy@heypoy.app or visit our contact page.